N.Y. Regulators Weigh Cybersecurity Requirements for Banks, Insurers (Insurance Journal): According to a recent report in Insurance Journal, New York Financial Services (“NYFS”) Superintendent Anthony Albanese, indicated that “robust regulation” is needed to address cybersecurity needs within the banking and insurance industry. This article indicates that the NYFS recommendation is the result of a survey of more than 150 banks and nearly 50 insurers. The agency’s findings include:

Companies have taken significant steps to address cybersecurity; however the rapid pace of technological change coupled with an increasingly sophisticated threat landscape will pose enduring challenges,

Regulated entities would need to implement audit logging that would include privileged user access and anti-log tampering controls

Any breached entity would be required to notify NYFS of any security incident that the entity believes “… has a reasonable likelihood of materially affecting the normal operation of the entity, including any cyber security incident”.

Overall, any agency action that spurs thoughtful and relevant dialogue with respect to cybersecurity is probably not a bad thing. That being said, I worry that the creation of industry specific solutions to cybersecurity will invariably, by design, create weak spots in our cybersecurity armor. It seems that cybersecurity is the latest “flavor of the month” and everyone wants to jump on the bandwagon from industry professionals to academics, to folks running for political office. This is worrisome on a number of levels:

cybersecurity is a discipline that covers both technology as well as the human element, trying to focus on one of these pieces solely and exclusively just is not effective,

on the technical side, one must balance the ability to access information with the ability to limit access to information, this is not necessarily an easy balance to achieve,

personally identifiable information (PII) and metadata about us, is pervasive, from our customer loyalty cards, to our Netflix “suggestions”, to our Tivo viewing habits — this information is pure gold to advertisers (and potentially the big brother government as well) — if we secure one industry and leave these huge gaping holes from which our PII can be accessed, we are still infinitely vulnerable,

regulations such as those being discussed by the NYFS take a point approach to cybersecurity — such as implementing MFA for TPPs. This can help harden TPP access but if users and administrators are not using MFA then they become ripe targets for social engineering or other such attacks that focus on the human element.

stick with what you know: the NYFS probably has some excellent protocols and procedures for regulating the financial industry — though they probably know very little about cybersecurity. With a nationwide shortage of cybersecurity professionals is it wise to put cybersecurity in the hands of any agency that is not dedicated wholly and solely to cybersecurity issues?

The International Organization for Standardization (“ISO”), International Electrotechnical Commission (“IEC”) developed a standard for information security in the mid-1990s and the latest standard is ISO27002:2013. Additionally, the National Institute of Standard and Technology (“NIST”) developed a “Framework for Improving Critical Infrastructure Cybersecurity” (“CSF”). Taken together, the ISO27002:2013 as well as NIST: CSF provide guidelines from which a cybersecurity initiative can be designed and implemented.

If Federal, State, or Local government choose to discuss cybersecurity, I am strongly in favor of doing so. In order to address cybersecurity and to ensure that a complete and cohesive strategy is developed, however, we need to start by focusing on PII, who accesses, who stores it, and who controls it. Once we understand those variables we can begin to examine cybersecurity in the context of PII rather than by looking at a specific industry and making half-baked suggestions on improving cybersecurity issues.

To Illustrate the problem of focusing on a specific industry, consider the following:

Agency develops protocols and procedures for cybersecurity in Industry X;

PII exists in the stream of commerce and, therefore, flows from Industry X to Industry Y;

Industry Y is not subject to same cybersecurity regulation as Industry X;

PII is breached while in Industry Y

Industry Y has no breach notification requirement

Industry Y is not subject to fines, penalties, or damages

This is an admittedly simplistic look at the flow of PII but in focusing on either the technology element or the human element, or one industry, instead of all industries, we run the risk of events such as those above exposing our PII.

Professor William Snyder

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Christopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

is 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review.

Jennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)